Debian cron complaining about log dir ownership since upgrade to Wheezy

apache-2.2debiandebian-wheezylogrotate

I'm getting errors from cron like this:

/etc/cron.daily/logrotate:
error: skipping "/var/log/apache2/access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

The /var/log/apache2 dir is owned by root and has gid adm, which I believe is the way it should be. The /etc/logrotate.d/apache2 is the default for the distribution and this specifies create 640 root adm too.

So should I add su root adm to the logrotate file? And if I need to do this why is it not in the package maintained version?

Or is there something else awry?

EDIT as requested:

ls /var/log/apache2/ -ld
drwxrwx--- 6 root adm 24576 Nov 14 01:55 /var/log/apache2/

Best Answer

You should set /var/log/apache2/ as non-group-writeable. This would stop apache creating files in this dir, but this is OK if they already exist.

$ chmod g-w /var/log/apache2

(I'm still not sure that's right - what when a new virtual host is set up with new logfiles?)

Related Solutions

Centos – Logrotate Mysql – No rotate happens

Threre is no rotation, because you are using -d option. From manual:

-d Turns on debug mode and implies -v. In debug mode, no changes will be made to the logs or to the logrotate state file.

I have two suggestions:

Upgrade OS to x86_64 if possible, because you have 2,5GB memory limit per process
Don't use -pPassword parameter with mysql for security reasons, it's better to use --defaults-extra-file=path_to_extra, which is readable only by root. When somebody, who has access to server execute ps -ef | grep mysql, it will see root password for database.

Here is my logrotate /etc/logrotate.d/mysql script for mysql on CentOS 5 (mysql Ver 14.12 Distrib 5.0.77, for redhat-linux-gnu (x86_64) using readline 5.1):

# If the root user has a password you have to create a
# /.my.cnf configuration file with the following
# content:
#
# [mysqladmin]
# password = <secret>
# user = <username>
#
# where "<secret>" is the password and <username> is user.
#
# ATTENTION: This /.my.cnf should be readable ONLY
# for root !
/var/log/mysqld.log {
        create 640 mysql mysql
        notifempty
        missingok
        postrotate
                # just if mysqld is really running
                if test -x /usr/bin/mysqladmin && \
                   /usr/bin/mysqladmin --defaults-extra-file=/root/mysql/logrotate.cnf ping &>/dev/null
                then
                   /usr/bin/mysqladmin --defaults-extra-file=/root/mysql/logrotate.cnf flush-logs
                fi
                /usr/bin/chcon -u system_u -r object_r -t mysqld_log_t /var/log/mysqld.log
        endscript
}

Ubuntu – Logrotate: rotate all log files on specific size and rotate hourly

In order for it to have any effect, the cron script must be run at least as often as you want to rotate the files. Even though you are currently running the script once a day (from cron.daily), it will only change the files once a week (the weekly keyword in the logrotate script sets the default, this is overriden to monthly in the case of wtmp and btmp).

The version of logrotate on my nearest Linux box only does down to daily duration (although setting a size limit will force files to be rotated more frequently). Having said that, for most servers, log rotation is disruptive; if your objective is to conserve space then it might be more approriate to keep fewer history files and to compress them:

daily rotate 2 compress size 5M create include /etc/logrotate.d

/var/log/wtmp { missingok monthly create 0664 root utmp rotate 1 }
/var/log/btmp { missingok monthly create 0660 root utmp rotate 1 }

(Note the changes in the first line will have no effect if they are overridden elsewhere.)

Best Answer

Related Solutions

Centos – Logrotate Mysql – No rotate happens

Ubuntu – Logrotate: rotate all log files on specific size and rotate hourly

Related Topic